Next: vnc_generate_server, Up: vnc_generate_cert
This step only needs to be performed once per organization / organizational unit. First the CA needs a private key. This key must be kept VERY secret and secure. If this key is compromised the entire trust chain of the certificates issued with it is lost.
# certtool --generate-privkey > ca-key.pem
A CA needs to have a public certificate. For simplicity it can be a self-signed certificate, or one issue by a commercial certificate issuing authority. To generate a self-signed certificate requires one core piece of information, the name of the organization.
# cat > ca.info <<EOF cn = Name of your organization ca cert_signing_key EOF # certtool --generate-self-signed \ --load-privkey ca-key.pem --template ca.info \ --outfile ca-cert.pem
The ca-cert.pem
file should be copied to all servers and clients wishing to utilize
TLS support in the VNC server. The ca-key.pem
must not be disclosed/copied at all.